As the holiday shopping rush transitions from Black Friday and Cyber Monday into a broader festive season, cybercriminals are seizing the moment to launch increasingly sophisticated attacks. Online shoppers are being targeted by malicious tools sold on dark web marketplaces, with everything from phishing kits to advanced 2FA-bypass methods being offered at alarmingly low prices.

Phishing kits, often free, allow criminals to easily clone websites and trick users into entering sensitive details. Fake e-commerce templates sell for as little as $50, while malware-as-a-service subscriptions go for about $150 per month. However, the most alarming tools are cookie grabbers, which cost $400 or more and enable attackers to steal session cookies directly from a user’s browser. These cookies can bypass two-factor authentication, granting attackers seamless access to user accounts.

Statistics reveal the scale of this threat: NordStellar researchers found over 54 billion cookies for sale on dark web platforms, with 30 million active session cookies capable of bypassing security systems. Such attacks are becoming increasingly attractive because they allow cybercriminals to avoid traditional credential-stealing efforts entirely.

The tactics employed are evolving. Cybercriminals set up fake shopping sites with anti-bot protections, fooling even the savviest users. These sites can bypass one-time passwords and 2FA protections, making them particularly potent. Nearly half of those who fall for such phishing attacks suffer financial losses.

According to Google, there are “numerous protections to combat such attacks, including passkeys, which substantially reduce the impact of phishing and other social engineering attacks, [including] automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication.”

Shoppers are also urged to avoid storing passwords in browsers, clear cookies regularly, and stay vigilant for fake links and websites.
With cybercrime tools becoming more accessible, consumers must remain alert to avoid becoming victims during the busiest online shopping season of the year.